Full Disclosure mailing list archives

Re: PGP vs. certificate from Verisign


From: Valdis.Kletnieks () vt edu
Date: Fri, 09 May 2003 14:57:44 -0400

On Fri, 09 May 2003 13:22:27 CDT, Kamal Habayeb <mountainfury () hotmail com>  said:
I'm trying to get some expert opinions on which is better.  Using Outlook
2002, would it be better to use PGP to encrypt messages or use the built-in
option with a digital certificate from Verisign (or some other CA)?

Yes. ;)  (or more correctly, both are good solutions for different problems).

The *real* question is - is the threat model you're protecting against better
addressed with a web-of-trust defense or a hierarchical defense?

Basically, the PGP model works better if there's reason to believe that most
of the verifying will be done between people who know each other, or are likely
to have a large set of intermediaries in common ("I don't know who you are,
but 5 people I know all say you're Fred, so you probably are...").

The X.509 solution works better if there's little or no chance that the
entity you're encrypting from/to is previously known to you.

Alternatively, you have to ask the question "Do I trust my friends or Verisign
more, to make *SURE* that this entity is who they say they are?" (but make sure
to read http://www.cert.org/advisories/CA-2001-04.html and remember that this
incident is merely the most visible case of one of the single biggest problems
with the whole concept of X.509).

(Personally, I use PGP because the whole IETF/NANOG/security community is
fairly small and closed (perhaps 10K people, tops?), and PGP is a better fit
than X.509, which is designed for hundreds of millions of users that
you've never heard of before, and will never hear from again).
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
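As an added illustration (not part of the original post or of any PGP or X.509 implementation), here is a toy Python model of the two validation rules the reply contrasts: a PGP-style web-of-trust check that accepts a key once enough introducers I trust have signed it, beside an X.509-style chain walk up to a trusted root, which accepts any cert the hierarchy issued unless it has been revoked. All names, trust levels and the marginal threshold are constructed.

```python
# Toy model of web-of-trust vs hierarchical validation (constructed example).

FULL, MARGINAL, NONE = "full", "marginal", "none"


def wot_valid(key, signers, owner_trust, marginals_needed=3):
    """PGP-style rule: a key is valid if one fully trusted key signed it,
    or if at least `marginals_needed` marginally trusted keys did.
    `signers` maps key -> set of keys that signed it; `owner_trust` is the
    trust *I* assigned to each introducer (unknown keys count as NONE)."""
    full = marginal = 0
    for s in signers.get(key, set()):
        level = owner_trust.get(s, NONE)
        if level == FULL:
            full += 1
        elif level == MARGINAL:
            marginal += 1
    return full >= 1 or marginal >= marginals_needed


def x509_valid(leaf, issuer_of, trusted_roots, revoked=frozenset()):
    """X.509-style rule: walk issuer links from the leaf up to a root I trust,
    failing on a missing issuer, a cycle, or any revoked link. Note that a
    cert the CA should never have issued still validates unless revoked."""
    cur, seen = leaf, set()
    while cur not in trusted_roots:
        if cur in revoked or cur in seen or cur not in issuer_of:
            return False
        seen.add(cur)
        cur = issuer_of[cur]
    return cur not in revoked


# Constructed sample data: five people I marginally trust all vouch for fred;
# gina has only two introducers; mallory is vouched for by a stranger.
SIGNERS = {
    "fred": {"alice", "bob", "carol", "dave", "eve"},
    "gina": {"alice", "bob"},
    "mallory": {"zed"},
}
OWNER_TRUST = {n: MARGINAL for n in ("alice", "bob", "carol", "dave", "eve")}

# Constructed hierarchy: one root, one intermediate, and a cert the CA issued
# by mistake to someone who is not who they claimed to be.
ISSUER_OF = {
    "fred-cert": "intermediate",
    "intermediate": "root-ca",
    "mis-issued-cert": "root-ca",
}
TRUSTED_ROOTS = {"root-ca"}
```

The mis-issued cert validates cleanly until the CA revokes it and the client actually checks revocation, which is the hierarchical model's weak point the reply alludes to; in the web-of-trust model the same impostor fails simply because nobody I trust vouches for them.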
